Navigating Social Media Issues in Medical Practice: An Expert Interview

Posting photographs of the practice can lead to some serious violations

According to a recent PEW report, 70% of Americans use social media, up from only 5% in 2005.[1] A separate report indicated that an increasing number of American employees across the board in a range of industries are using social media while in the workplace, with the top 2 reasons being taking a mental break and connecting with friends and family while at work.[2] In fact, several studies have suggested that restrictions against use of social media at work may adversely influence the hiring process by deterring would-be employees from accepting employment.[3]

Issues that affect employees in all industries are compounded by a unique set of additional concerns that affect employees of medical practices. To shed light on the issues related to social media in medical practices, MPR spoke to Michael J Sacopulos, JD, CEO of Medical Risk Institute (MRI), a firm that provides “proactive counsel” to the healthcare community to identify where liability risks originate and to reduce or remove those risks. He is also General Counsel to Medical Justice Services. Mr Sacopulos is the coauthor of Tweets, Likes, and Liabilities: Online and Electronic Risks to the Healthcare Professional (Greenbranch Publishing: 2018).

How did you come to write your book?

I began to consider some of the complexities of practicing medicine in the digital age and the number of risks that accompany social media and the Internet. I am a lawyer whose career began doing medical malpractice defense work. This was clearly not my niche and I didn’t enjoy it. I decided to keep physicians out of trouble rather than defending them once they got into trouble. The basis of my career is to look at where trouble potentially originates and help physicians come up with plans to avoid it. My coauthor, Susan Gay, had written an earlier book about online reviews and ratings of medical professionals. Our book was a natural outgrowth of her previous work and my current interests.

Who is your primary target audience?

I represent individual physicians or physician practices, and my book was designed to help these physicians or their office managers address digital challenges. Although many of the same issues apply to larger health systems, those typically have in-house counsel and compliance officers, while smaller practices have the same obligations but do not have the resources or infrastructure of larger health systems.

Are there guidelines for physicians regarding their use of social media?

The Federation of State Medical Boards has issued Model Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice,[4] which contains the “industry standards” for cyber security, online behavior, and patient privacy. I advise all of my clients and the medical practices I work with to familiarize themselves with these guidelines.

What are the parameters of an employee’s use of social media?

There are 2 aspects of using social media as an employee of a medical practice. One is during work hours and the other is on one’s own time. A practice’s social media policies can’t be too restrictive, but on the other hand, social media posts must respect patients and do no harm to the practice.

Obviously, there are concerns about distractibility and whether an employee’s attention is diverted by posting on Facebook or some other forum during work hours. This concern is across the board in all industries, not only medical.

But there are additional concerns that specifically apply to medical practices.

For example, it is legal to criticize one’s superior in a personal Facebook post. I know one case in which someone contacted her friend, a dental assistant, on a personal Facebook page to find out if her employer does dental implants. “Oh, he tries,” the dental assistant responded. While that may not be illegal, it’s definitely disrespectful. I’m sure the dentist did not want that type of comment out there.

On the other hand, there are aspects of work that would be completely inappropriate to post, even on a personal Facebook page.

What types of posts would be inappropriate for medical practice employees to post on their own social media sites?

Any practice-related matter concerning a patient would be a violation of HIPAA and inappropriate to post, even without mentioning the patient’s name. For example, there was a case with a nurse at a hospital who was in the ER when a police officer was shot and brought in, together with the alleged shooter, both being treated for gunshot wounds. The officer ended up dying from his injuries. The nurse went home and posted, “I had to take care of a cop killer today. Hope he burns in hell.” This was considered by her employer to be a violation of privacy and she was fired. I could see how some people would not see this as a breach of privacy because no names were used, but the facility had a firm policy in place that any post about a patient situation was grounds for dismissal.

What is the role of “policy” in these issues?

The role of “policy” is very important. There was a case of a female patient at a medical center who was given a diagnosis of an STD. Her ex-boyfriend worked at the facility, copied her records, and posted them with a derogatory heading about her. He was fired because the facility was able to determine that he had accessed the record in an unauthorized way, as he was not involved in her care. The patient sued the facility, but the facility was shielded from liability because they had a specific policy in place prohibiting employees not involved with a given patient’s care from accessing that patient’s records. There were also mechanisms in place to detect when that happened, and the facility took immediate action to dismiss the employee. It was ruled that although the employee had violated HIPAA, the facility was not held responsible.

You mentioned unauthorized access. Beyond use of social media to disseminate patient information, what concerns are there and how might those be addressed?

It is essential for practices to monitor their electronic records to make sure unauthorized individuals are not accessing them. There have been many accounts of hospital employees looking at the medical records of celebrities – for example, when one of the Kardashians had a baby, many people unrelated to her care looked at her electronic records and all were fired.

The issue is not confined to celebrities. I remember a case that took place in a tiny rural town in which everyone knew everyone else. A group of teenagers used some type of synthetic drug at a party. Ten partygoers ended up in the hospital and 1 of them died. There were at least 30 hospital employees who accessed those records. My guess is they were not malicious, only concerned for their friends and neighbors. But they were all fired because of this.

What other privacy concerns might be unique to medical practices?

Posting photographs of the practice can lead to some serious violations if a patient chart or any information with a patient’s name accidentally is caught in the picture. It can also be problematic if a patient is inadvertently photographed. In a recent case, an employee in a plastic surgeon’s office took a picture of a fellow employee who had a new hairstyle. What she didn’t realize was that there was a patient standing nearby who ended up being in the picture. The picture was subsequently posted on the employee’s personal Facebook. The patient somehow became aware of it and was none too happy that people had found out that she was going to a plastic surgeon.

Do you have any other advice for physicians?

None of these issues are terrible, intractable problems. They arise because practitioners are not aware of the shifting and rapidly expanding social media landscape. If you follow the guidelines and pay attention to potential issues that might arise, then with relatively little expense and effort, you can avoid a lot of these problems and benefit from the upsides of the digital age without the downsides.

It is also important to recognize that these issues do not only concern compliance but also patient safety. There are patients who are afraid to seek medical or mental health help because they are afraid their data or privacy will be compromised. People’s confidence in the integrity of your staff and strength of your cyber systems is an important part of building trust and enabling you to practice medicine.